Firewall Wizards mailing list archives
RE: Flat vs Segmented DMZ's
From: "Scott, Richard" <Richard.Scott () BestBuy com>
Date: Thu, 7 Nov 2002 10:26:35 -0600
<snip> A fairly standard web app has multiple layers: the front-end web server, some middleware, perhaps some AAA software, and a database. So you run a web server. That means it is very likely to get hacked (IIS, Apache, Sun ONE - they have all had nasty security bugs). So now your web server has an intruder - what can they do? They can almost certainly do anything your web app can do. This means the hacker can communicate with the other web app systems, via the same channels (and with the same authentication) as your web app. Packet-filtering compartmentalization (by itself) does not solve this problem. Something like a database proxy that enforces read-only access might, however. Also, assuming that _all_ of your components are compartmentalized, the hacker may flood one to three compartments, but still may not be able to get into your main network. Of course, if your database servers are on your main backbone... I'm often confused why people think that proxies are the answer here. It seems you are describing a web site that is for reference only, certainly not a commerce site with read only access to the database. </snip> I think a good strategy would involve identifying the risk factors and limiting that exposure. Commerce architecture in essence is far more heavily built upon that standard hosting web sites that just display content. Obviously, the first task would be to prevent and screen out common attacks at the border prior to your web farm. The next layer would involve either grouping you app with your web or your app with the database. This is common due to the connections between these entities. I always hold the assumption that given the design, should one of your web servers become compromised, it should be at least more difficult to obtain further access to the next layer. Obviously, the attack could use any protocol you are allowing through your firewall. The interesting part is being able to not allow insecure protocols through the firewall and have adequate detection devices to alert you to anything abnormal. It's a common myth in the business world that placing a firewall in your DMZ is the be all and end all for security. I often see wide open holes that would not prevent attacks. The importance of segmentation, is to be able isolate your network to the point where it could be far more easily to identify an attack. If the attack stumbles across a web server and decides to directly access the database, the firewall should prevent this if it is not needed. The attacker then would like to own the application server. Accordingly, the subset of attacks now available has shrunk, hopefully because with each layer you are reducing the available protocols. Here, one could monitor connections to the database that are not part of the connection pooling behavior, or contains irregular network traffic. Obviously Irregular network traffic is a big grey area. However, all the attack would have to do would be to understand where the security credentials exist to be able to build a connection to the database, and understand the schema. So really, segmentation isn't going to prevent attacks if your web/app layer is inadequate. By the time they have figured out the schema of your database, do obtain confidential information, I would expect your IR team to have been alerted. I think the morale of the story is that segmentation offers extra protection, by limiting the attacks but if the architecture is well understood, the attacker could compromise a segmented site if the trust between the segments can be exploited. If the DMZ was flat, I would expect a compromise on one box would lead to a compromise of another box on the same DMZ, with as much or less effort than the first compromise, however, it may not be possible to affect other systems outside of that flat DMZ boundary, given one could host several applications in different DMZ's but within each application the servers are not segmented. Think of segmentation of DMZ's like a multiple road blocks. A road leads in, somehow, it just a matter of knowing how. The road was built to support traffic, however, the road blocks provide simple checks to reduce whom can travel upon those roads. The biggest step forward for web sites are the availability of attack detection and prevention devices that are sold to prevent attacks being executed. These tools tend to be termed application based intrusion prevention tools. To some businesses a defaced web site can mean just as much revenue lost than stolen data. <end rant> Cheers r. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Flat vs Segmented DMZ's WhtWlf2001 (Nov 06)
- Re: Flat vs Segmented DMZ's Paul Robertson (Nov 06)
- Re: Flat vs Segmented DMZ's Dave Piscitello (Nov 06)
- Re: Flat vs Segmented DMZ's Mikael Olsson (Nov 06)
- Re: Flat vs Segmented DMZ's Carson Gaspar (Nov 06)
- Re: Flat vs Segmented DMZ's Luca Berra (Nov 21)
- <Possible follow-ups>
- RE: Flat vs Segmented DMZ's Scott, Richard (Nov 07)